Basic VPN to Cisco ASA without authentication

Posted on 2009-05-06
Last Modified: 2012-05-06
Could anyone help me? I'm vaguely familiar (but certainly no expert) with the PIX, but this is my first ASA, and it's giving me grief! I've got most of it working, but I'm stuck on the VPN. We use VPN to PIX to access small sites without further authentication -- just group name and password and connect. (I know it's not good for security, but for what we do it works well, and often we have no other option anyway.)
Anyway, I can't get it to work on the ASA, but could really do with it, urgently!
Below are what I think are the relevant code fragments...
Could anyone please point me in the right direction... Please don't say it isn't possible any more!!
PIX code that seems to do the trick; comments in brackets are the bits the ASA turned its nose up at:-:

crypto ipsec transform-set transet1 esp-des esp-md5-hmac

crypto map outside_map 40 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup lestac address-pool vpnpool (vpngroup depricated)

vpngroup lestac password secret (ditto)

vpngroup lestac dns-server yserver1 (ditto)

vpngroup lestac wins-server yserver1 (ditto)

vpngroup lestac default-domain harlow (ditto)

vpngroup lestac idle-time 1800 (ditto)

ASA "bits" I tried to use to replace the "depricated" PIX bits to get the same effect:-

tunnel-group lestac type ipsec-ra

tunnel-group lestac general-attributes

address-pool vpnpool

tunnel-group lestac ipsec-attributes

pre-shared-key secret

default-group-policy lestac

group-policy lestac attribues

wins-server value

dns-server value

default-domain value harlow.local

vpn-idle-timeout 1800

vpn-simultaneous-logins 10

vpn-tunnel-protocol IPSec

Open in new window

Question by:seworby
  • 2
  • 2
LVL 10

Expert Comment

ID: 24319983
For an ASA remote access VPN, you need pieces, three of which can be named the same: a group-policy, a tunnel-group, and a username. Here's a very basic example for vendor access:

# Create an ACL for vendor access to any destination
access-list vendor_acl extended permit ip any any

# Create a group policy
group-policy vendor internal

# Define the acl this policy will use
group-policy vendor attributes
  vpn-filter value vendor_acl

# Create the user
username vendor password *****

# Define the group policy and acl to control this user
username vendor attributes
  vpn-group-policy vendor
  vpn-filter value vendor_acl

# Define a tunnel group - type for remote access is 'ipsec-ra'
tunnel-group vendor type ipsec-ra

# Define the group characteristics
tunnel-group vendor general-attributes
  default-group-policy vendor

# Define the group password
tunnel-group vendor ipsec-attributes
  pre-shared-key *****

There are lots of other keywords you can include; for example, you can add 'vpn-idle-timeout 15' to the group-policy section and have the VPN logout after 15 minutes of idle time, you can add 'vpn-framed-ip-address' under the username attributes to assign an IP address to that user, and so on. But this framework will get you started... for more info, check out this link:

LVL 10

Expert Comment

ID: 24319997
Sorry about the typo... the first line should read "you need four pieces..."  - the three names and an ACL.

Author Comment

ID: 24322642
Thanks for your help on this. As you can see from my code, I've got most of this in place. I've got the access_list bits in place, too, but didn't quote them because it's just not getting that far. I can't get past the Cisco client asking for username and password. The only bit I haven't got is the vpn_filter value bit, but I don't think it's going to be that causing my problem?
Having spent some time reading up last night, I'm wondering if it's my AAA I've got wrong. I'll have access to the ASA in a couple of hours and I'll take another look.
I'll let you know how I get on.

Accepted Solution

seworby earned 0 total points
ID: 24325599
I have it working. Whether it's the right way or not is a different matter...
The key to it is to set up a user so it has a user in the database to allow the secondary authentication to authenticate against. It seems this isn't neceesary on the PIX but is on the ASA.
The vpn_filter value turned out in the end to be a bit of a red herring, as having it on prevent traffic from passing once connected.
username xzy password xyz123 privilege 2


Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now